How to Deploy a VPN Server

PCQ Bureau

Windows Server typically supports two types of VPN connections: PPTP (Point-to-Point Tunneling Protocol) and L2TP/IPSec. PPTP is the simpler of the two and easier to set up, but it is less secure than L2TP/IPSec, which is why organizations go for the second option. The reason is that with PPTP the authentication exchange is not done over a secured connection; the secure connection is set up only after authentication is complete, so credentials can be captured by attackers, who can then gain access to the VPN server. With L2TP/IPSec, a secure IPSec session is established between client and server before the user credentials are sent to the VPN server for authentication, which makes it far harder to break. Moreover, L2TP/IPSec provides mutual machine authentication, for which the local machine must hold a certificate issued by a proper certificate authority.


A new type of VPN connection, SSTP (Secure Socket Tunneling Protocol), was introduced with Windows Server 2008 and is also supported by Windows Vista SP1. It uses an SSL-protected HTTP connection to reach the VPN server at your workplace. The reason for introducing it is that it uses TCP port 443, which is open by default in almost all firewalls. So if you are in a hotel or another public place where many ports are blocked, you will still have no difficulty connecting to your corporate network, and the network administrator need not open a particular firewall port specifically for you.

Now, let's enable VPN on Windows Server 2008 system.

Enabling VPN on Windows Server 2008

For this article, we assume that you have a system running Windows Server 2008 with Active Directory, DNS and a DHCP server already configured on that machine.


First start the Windows Server 2008 Server Manager and click on the 'Add Role' option, then click Next to proceed. A list of server roles appears; select 'Network Policy and Access Services' and click Next. An information page introduces Network Policy and Access Services; click Next to proceed. Next, under 'Role services', check 'Routing and Remote Access Services'. The wizard then asks you to confirm the components to be installed; click Install to start the installation. Once installation is complete, click Finish to exit the wizard.

Configuring the VPN

After the installation is over, configure the VPN according to your requirements. Open the Server Manager console and expand the Roles node on the left. From the list of installed roles expand the 'Network Policy and Access Services' node, right click on 'Routing and Remote Access' and click on the 'Configure and Enable Routing and Remote Access' option, which starts the wizard for configuring the VPN server.

As the wizard starts, click Next to proceed. Select the 'Remote Access' option, which lets remote clients connect via dial-up or VPN, and click Next. For VPNs, check the VPN check box, which lets the server accept remote connections from clients over the Internet. Make sure the server has two NICs, otherwise Windows Server 2008 prompts with an error message and the wizard exits; once it does, select the 'Remote Access' option, click Next again and check the 'VPN' check box. Then select the NIC through which the system connects to the Internet, in other words the one through which remote clients will connect. Next you have two options: the system assigns IPs to remote clients automatically, or you specify an IP range, which also limits the number of users connected through the VPN. We chose the second option and provided the range of IPs by clicking the New button in the next step. If you have a RADIUS server you can set up authentication against it; otherwise choose the second option, using Routing and Remote Access to authenticate requests. Once configuration is complete, click Finish to exit the wizard.

[Figure caption: On Windows Server 2008, open the Server Manager. On the left panel, right click on the Roles node and click on the 'Add Role' option.]

Connecting to VPN Server

Once the configuration is over, we connect a remote client to it. We tried connecting from a Windows Vista machine, which was quite simple. First open the Control Panel and navigate to the Network and Sharing Center. Click on 'Set up a connection or network', and a wizard opens; choose 'Connect to a workplace'. It then prompts for the network address and destination name: specify a name for the VPN connection and the IP address of the VPN server. Next it prompts for user credentials: provide the username and password for logging into the VPN server and click Connect. Finally it shows that you are connected to the network and the VPN server assigns an IP to your machine. Windows Vista then prompts you to choose the network location so that it can configure the firewall for the new network; choose Work from the list of options and click Continue. Finally close the wizard.

Now you can access all the internal network resources you are authorized for and work from anywhere in the world (provided you have Internet access).

[Figure caption: A role installation wizard starts up. Here, check the 'Network Policy and Access Services' option from the list of roles.]

Implementing OpenVPN

OpenVPN is a free, open source VPN solution that can be implemented on a Windows or Linux machine. Configuring OpenVPN is not too complex compared to the Windows setup. The prerequisite on Windows is Windows 2000 or later; on Linux, the system must have TUN/TAP driver support, the OpenSSL libraries and the LZO compression library.

[Figure caption: Select 'Remote Access' and click on Next. Now check the VPN option so that clients access the server over VPN.]


Installing OpenVPN

We installed OpenVPN on a Fedora 10 machine without any hassle. To install OpenVPN, run the following command in a terminal with root privileges:

#yum install openvpn


It will automatically resolve all dependencies and install OpenVPN. If the clients also run Fedora 10, an OpenVPN integration module is available for the GNOME NetworkManager, which provides a graphical interface for remote clients to connect to the VPN server at the workplace. To install the OpenVPN module for NetworkManager, run the following command:

#yum install NetworkManager-openvpn

[Figure caption: Here, the RRAS configuration wizard asks you to select the NIC on which incoming VPN connection requests from clients will be accepted.]


Creating Certificates

Once the installation is done it's time to configure OpenVPN to suit your requirements. Check that OpenVPN runs properly by starting the OpenVPN daemon. Then stop the daemon and copy all the files under '/usr/share/openvpn/easy-rsa/2.0/' to '/etc/openvpn/'. Now open the file 'vars' and change the following values as required. This file is used to create the certificates used by both client and server.

export KEY_COUNTRY="IN"
export KEY_PROVINCE="ND"
export KEY_CITY="DELHI"
export KEY_ORG="PCQUEST"
export KEY_EMAIL="xyz@pcquest.com"


You can also change the directory in which all the keys are generated by modifying the following line (in our case it is inside the openvpn directory):

export KEY_DIR="/etc/openvpn/keys"

After you have modified the 'vars' file, navigate to the '/etc/openvpn/' directory and run the following commands to generate certificates for the server and clients. The first line sources 'vars' into the current shell; running it as a separate script (./vars) would set the variables only in a subshell, and the scripts that follow would not see them:

#. ./vars
#./clean-all
#./build-ca

The clean-all command removes any existing keys and certificates from the 'keys' directory under '/etc/openvpn/', and build-ca creates a certificate named ca.crt and a key file named ca.key. During creation it asks for details that we have already fed in through the 'vars' file, so just press Enter when asked.

Next, we create a certificate and key for the VPN server at your organization by running the following command:

#./build-key-server vpnserver1

You can replace 'vpnserver1' with any logical name or hostname. As with the CA creation, build-key-server asks questions whose answers are already fed in from the vars file, so just press Enter; provide a suitable password, or leave it blank. Then it asks you to sign the certificate; press 'Y'.



Next we create a certificate and key for the client by running the following command (replace 'vpnclient1' with any logical name or hostname you prefer):

#./build-key vpnclient1

[Figure caption: Here, you have two options for giving IP addresses to remote clients. Either the server assigns a default IP or you specify a range of IPs for remote clients.]

As with the server certificate, this process asks questions. Press Enter for the default values, and when asked for the 'Common Name', verify that it has taken 'vpnclient1'; if not, provide the logical name or hostname of the machine. Once the process completes, a certificate and key for one client have been generated. If you want more than one client to connect to the VPN server, repeat the client certificate creation process to create a unique certificate for each client. Now run the following command to create the Diffie-Hellman parameters '.pem' file (it is named dh<KEY_SIZE>.pem after the KEY_SIZE value in 'vars', whose easy-rsa 2.0 default is 1024, so set KEY_SIZE=2048 if the server configuration expects dh2048.pem):

#./build-dh
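The build-ca, build-key-server and build-key steps above are interactive, and a mistyped Common Name or a key paired with the wrong certificate only shows up later as a failed TLS handshake. The following script is an added example, not part of the article or of easy-rsa; it checks each generated pair with openssl directly (certificate chains to ca.crt, Common Name equals the logical name, private key matches the certificate, certificate not expired, key not world-readable). It assumes the file layout the article's easy-rsa commands produce (KEY_DIR holding ca.crt plus <name>.crt and <name>.key) and that openssl is on the path; KEY_PASS is an assumed environment variable for keys you protected with a password.

```shell
#!/bin/sh
# Post-generation sanity check for an easy-rsa 2.0 'keys' directory.
# Added example, not from the article or the OpenVPN project.

# verify_keypair KEY_DIR NAME
# Prints one line per failed check; returns 0 if everything passed, 1 otherwise.
verify_keypair() {
    keydir=$1
    name=$2
    ca=$keydir/ca.crt
    crt=$keydir/$name.crt
    key=$keydir/$name.key
    failed=0

    for f in "$ca" "$crt" "$key"; do
        if [ ! -r "$f" ]; then
            echo "$name: missing file $f"
            return 1
        fi
    done

    # 1. The certificate must chain to the CA that peers will trust.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$name: certificate is not signed by $ca"
        failed=1
    fi

    # 2. The Common Name must be the logical name you will reference in
    #    server.conf or the client profile (build-key proposes it but lets
    #    you overtype it at the prompt).
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$name" ]; then
        echo "$name: Common Name is '$cn', expected '$name'"
        failed=1
    fi

    # 3. The private key must belong to this certificate: derive the public
    #    key from each side and compare (works for RSA and EC keys alike).
    #    KEY_PASS (assumed variable) supplies the passphrase for encrypted keys;
    #    without it an encrypted key simply fails to load and is reported.
    pub_from_crt=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null)
    if [ -n "${KEY_PASS:-}" ]; then
        pub_from_key=$(openssl pkey -pubout -in "$key" -passin "pass:$KEY_PASS" 2>/dev/null)
    else
        pub_from_key=$(openssl pkey -pubout -in "$key" 2>/dev/null </dev/null)
    fi
    if [ -z "$pub_from_key" ] || [ "$pub_from_crt" != "$pub_from_key" ]; then
        echo "$name: private key does not match certificate"
        failed=1
    fi

    # 4. Not already expired (easy-rsa defaults to ten years, but check anyway).
    if ! openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1; then
        echo "$name: certificate has expired"
        failed=1
    fi

    # 5. A private key readable by every local user is a leaked credential.
    if find "$key" -perm -004 | grep -q .; then
        echo "$name: private key $key is world-readable"
        failed=1
    fi

    return $failed
}

# Usage: verify_keypair /etc/openvpn/keys vpnserver1
#        verify_keypair /etc/openvpn/keys vpnclient1
if [ $# -eq 2 ]; then
    verify_keypair "$1" "$2"
fi
```

Run it once for the server name and once per client before copying files anywhere; a non-zero exit means the printed lines explain which step of the easy-rsa procedure needs to be repeated.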

Configuring OpenVPN

Next copy the server.conf file from the '/usr/share/doc/openvpn/sample-config-files' folder to '/etc/openvpn/' and open it in a text editor. Find and change the following lines in server.conf:

ca keys/ca.crt
cert keys/vpnserver1.crt
key keys/vpnserver1.key
dh keys/dh2048.pem
log openvpn.log

In the above configuration we provided the correct paths for the CA, certificate, key and DH parameter files that OpenVPN will use, and told OpenVPN to write a log file inside the OpenVPN directory if you prefer not to use syslog. Finally start the OpenVPN server by executing the following command:

#/etc/init.d/openvpn start
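The four file directives above are the usual reason the daemon fails to start (a path that does not resolve, or a dh file named dh1024.pem while server.conf says dh2048.pem), and the sample config ships with the privilege-dropping and control-channel options commented out. The function below is an added example, not part of the article or of OpenVPN: it resolves each file directive the way OpenVPN does (relative to a 'cd' directive if present, otherwise, as an assumption, relative to the directory holding the config) and reports missing files, a world-readable key and absent hardening directives. It only reads text and file modes, so it can be run before the init script.

```shell
#!/bin/sh
# Audit an OpenVPN server.conf of the kind this article sets up.
# Added example, not from the article or the OpenVPN project.

# check_server_conf CONFIG_FILE
# Prints "ERROR: ..." for problems that stop OpenVPN starting or expose the
# key and "WARN: ..." for missing hardening. Returns 1 if any ERROR was printed.
check_server_conf() {
    conf=$1
    errors=0
    warnings=0

    # OpenVPN resolves relative paths such as 'keys/ca.crt' against its working
    # directory. A 'cd' directive sets it; otherwise we assume the directory
    # holding the config, which is what the init script's cd gives you.
    base=$(awk '$1=="cd"{print $2; exit}' "$conf")
    [ -n "$base" ] || base=$(dirname "$conf")

    for d in ca cert key dh; do
        # Exact match on the first field skips ';key ...' and '#key ...' comments.
        f=$(awk -v d="$d" '$1==d{print $2; exit}' "$conf")
        if [ -z "$f" ]; then
            echo "ERROR: directive '$d' missing"
            errors=$((errors + 1))
            continue
        fi
        # 'dh none' is valid (ECDH only) and names no file.
        [ "$d" = dh ] && [ "$f" = none ] && continue
        case $f in
            /*) p=$f ;;
            *)  p=$base/$f ;;
        esac
        if [ ! -r "$p" ]; then
            echo "ERROR: $d refers to unreadable file $p"
            errors=$((errors + 1))
        elif [ "$d" = key ] && find "$p" -perm -004 | grep -q .; then
            echo "ERROR: private key $p is world-readable"
            errors=$((errors + 1))
        fi
    done

    # Hardening the sample config leaves commented out (';user nobody' is a
    # comment and does not count).
    if ! awk '$1=="tls-auth" || $1=="tls-crypt"{f=1} END{exit !f}' "$conf"; then
        echo "WARN: no tls-auth/tls-crypt: unauthenticated packets reach the TLS handshake"
        warnings=$((warnings + 1))
    fi
    for d in user group; do
        if ! awk -v d="$d" '$1==d{f=1} END{exit !f}' "$conf"; then
            echo "WARN: '$d' not set: daemon keeps root privileges after startup"
            warnings=$((warnings + 1))
        fi
    done

    echo "summary: $errors error(s), $warnings warning(s)"
    [ "$errors" -eq 0 ]
}

# Usage: check_server_conf /etc/openvpn/server.conf
if [ $# -eq 1 ]; then
    check_server_conf "$1"
fi
```

The warnings map onto lines that already exist in the sample server.conf as comments (user nobody, group nobody, tls-auth ta.key 0); uncommenting them, and generating ta.key with 'openvpn --genkey --secret', clears them.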

[Figure caption: On Fedora, right click on the NetworkManager icon, select VPN Connections and then click on the 'Configure VPN' option.]

Client Configuration

Now let's see how to configure a client to connect to the organization's VPN server. First copy vpnclient1.crt, vpnclient1.key and ca.crt from the server, where we created the client certificate, to the client machine; use a secure channel such as scp, since the key file is the client's credential.

Then click on the GNOME NetworkManager icon, select 'VPN Connections' and click on the 'Configure VPN' option. To create a new VPN connection, click the 'Add' button, choose 'OpenVPN' from the drop-down list and click 'Create'. A new window opens asking for the necessary details. Give the VPN connection a suitable name such as 'Connecttoserver'.

[Figure caption: Provide the CA certificate, the client's certificate and key, specify the private key password and click on 'Apply'.]

In the Gateway option, provide the address of the VPN server on which we configured OpenVPN. In the User Certificate option provide the file 'vpnclient1.crt', in the CA Certificate option provide ca.crt, and in the Private Key option provide 'vpnclient1.key'. Then specify the password and click 'Apply'. Everything is now configured and ready to go.

Now click on the GNOME NetworkManager icon, select VPN Connections and click on 'Connecttoserver'. Wait a couple of seconds and you are connected to the VPN server. Type 'ifconfig' in a terminal and you will find that your machine has been assigned an IP such as 10.8.0.6.
